BreachForums Is DEAD — Cybercrime’s Biggest Empire Just Got Crushed!

A coordinated law enforcement operation in France has resulted in the arrest of key figures behind BreachForums, one of the most active and influential marketplaces for cybercriminals in recent years. The takedown marks a significant disruption in the cybercriminal economy, highlighting both the global reach of modern threat actors and the increasing sophistication of cross-border cybercrime investigations.

Overview of the Arrests

On June 24, 2025, France’s specialized cybercrime unit BL2C (Brigade de Lutte Contre la Cybercriminalité) executed simultaneous raids in:

  • Hauts-de-Seine (Paris area)
  • Seine-Maritime (Normandy)
  • Réunion Island (French overseas territory)

These actions led to the arrest of five individuals believed to be key operators and moderators of BreachForums v2, a reboot of the original criminal marketplace.

Arrested Suspects (Online Handles):

  • ShinyHunters – Alleged lead administrator with a long-standing record of high-impact breaches.
  • IntelBroker – Notoriously linked to breaches of government and Fortune 500 networks.
  • Hollow – Identified in historical forum posts as a moderator.
  • Noct
  • Depressed

French news outlet Le Parisien also confirmed that IntelBroker had been secretly arrested earlier in February 2025, though this only became public recently.

What Was BreachForums?

BreachForums served as a digital underground market, where cybercriminals could:

  • Trade and sell stolen credentials, databases, and identity records
  • Monetize access to compromised corporate networks
  • Promote ransomware-as-a-service (RaaS) partnerships
  • Share tools, exploits, and even personal data leaks of public figures

The forum originally gained notoriety in 2023 when its founder, Conor Brian FitzPatrick (alias Pompompurin), was arrested. Following its shutdown, a second iteration — BreachForums v2 — emerged, operated by the individuals now arrested in France.

Attribution and High-Profile Breaches

The arrested individuals are linked to numerous data breaches and cyberattacks, both within France and globally. According to French authorities and threat intelligence analysts, these operators were behind:

French Targets:

  • France Travail (formerly Pôle Emploi): One of the most significant breaches in France, compromising data of over 43 million citizens.
  • Boulanger
  • SFR
  • French Football Federation

Global Targets:

  • IntelBroker: Attributed to attacks on:
    • DC Health Link (U.S. Congress healthcare system)
    • Europol
    • General Electric
    • AMD, Cisco, Nokia, HPE, Weee!
  • ShinyHunters: Implicated in:
    • Salesforce, PowerSchool
    • Snowflake-related leaks affecting:
      • Santander, AT&T, Ticketmaster, Neiman Marcus, Advance Auto Parts, Cylance

These breaches often involved the exfiltration and sale of highly sensitive personal, financial, and corporate data, as well as unauthorized access to internal systems and employee portals.

BreachForums’ Demise

In April 2025, BreachForums v2 went offline following a MyBB zero-day exploit that compromised the platform itself. The shutdown is now believed to be permanent.

Cybercriminals have since scattered across private Telegram groups, dark web marketplaces, and decentralized platforms — but no equivalent hub has yet risen to replace BreachForums.

Implications for the Cybersecurity Community

1. Operational Disruption

These arrests significantly disrupt the coordination and monetization of cybercrime. They remove trusted facilitators and erode the market's perceived safety.

2. Digital Evidence Opportunity

Seized servers, devices, and forum logs may provide a wealth of intelligence for future investigations, victim notifications, and threat actor unmasking.

3. Forum Fragmentation

Threat actors are now likely to fragment across smaller, harder-to-monitor platforms. Security teams must broaden their threat intel sources and include Telegram, IRC clones, and federated forums.

Strategic Recommendations for Security Teams

  • Proactively monitor leaked data: Especially for companies named in past or present BreachForums posts.
  • Correlate breach indicators: Use breach forums, paste sites, and OSINT to triangulate potential exposure.
  • Enhance detection: Focus on credential stuffing, VPN abuse, and abnormal login patterns following leaks.
  • Track actor migration: Leverage threat intel feeds to follow the diaspora of threat actors post-forum shutdown.
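
One way to act on the "Enhance detection" recommendation above, as an added example that is not from the original article: a sliding-window check that flags a source IP failing logins against many distinct accounts, plus any login that then succeeds from it. The event format, thresholds and leaked-account set are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, outcome).
# IPs come from documentation ranges; usernames are invented.
SAMPLE_EVENTS = [
    ("2025-07-01T09:00:05", "203.0.113.7", "alice", "fail"),
    ("2025-07-01T09:00:19", "203.0.113.7", "bob", "fail"),
    ("2025-07-01T09:00:41", "198.51.100.20", "frank", "fail"),
    ("2025-07-01T09:00:55", "198.51.100.20", "frank", "ok"),
    ("2025-07-01T09:01:02", "203.0.113.7", "carol", "fail"),
    ("2025-07-01T09:01:30", "203.0.113.7", "dave", "fail"),
    ("2025-07-01T09:02:10", "203.0.113.7", "erin", "ok"),
    ("2025-07-01T09:10:00", "192.0.2.50", "alice", "fail"),
    ("2025-07-01T09:40:00", "192.0.2.50", "bob", "fail"),
    ("2025-07-01T10:10:00", "192.0.2.50", "carol", "fail"),
    ("2025-07-01T10:40:00", "192.0.2.50", "dave", "fail"),
]
# Constructed stand-in for accounts found in a leaked credential dump.
LEAKED_ACCOUNTS = {"alice", "bob", "carol", "erin"}


def detect_stuffing(events, leaked, window=timedelta(minutes=5), min_users=4):
    """Flag IPs failing logins on >= min_users distinct accounts inside
    `window`, and any login that succeeds from such an IP."""
    recent = defaultdict(deque)   # ip -> failures still inside the window
    alerts = {}
    for ts, ip, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        fails = recent[ip]
        while fails and now - fails[0][0] > window:
            fails.popleft()       # drop failures older than the window
        if outcome == "fail":
            fails.append((now, user))
        targeted = {u for _, u in fails}
        if len(targeted) < min_users:
            continue              # a single user mistyping never gets here
        alert = alerts.setdefault(
            ip, {"targeted": set(), "compromised": set(), "in_leak": set()})
        alert["targeted"] |= targeted
        if outcome == "ok":
            alert["compromised"].add(user)  # success right after the burst
        alert["in_leak"] |= (targeted | {user}) & leaked
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(SAMPLE_EVENTS, LEAKED_ACCOUNTS).items():
        print(ip, {k: sorted(v) for k, v in alert.items()})
```

With the default five-minute window, the slow source 192.0.2.50 is not flagged; widening the window catches it at the cost of more false positives from shared NAT or VPN egress addresses.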

The dismantling of BreachForums is a milestone in the global fight against cybercrime. It underscores the growing competence of international cyber enforcement and signals that even anonymous operators cannot escape accountability.

Yet, like a hydra, the ecosystem will likely evolve — and new threats will emerge. The cybersecurity community must remain agile, collaborative, and proactive in its response.

